Migrating a thought from domain to domain ...

d’A said ...
A browser cannot actually access two sites at the same time and be logged into both with cookies. You either proxy the information through your server which then sends it to the other site, or you use one of several browser tricks, like an iframe, or a script request, to send the information. All of those are not actually logged in, even the server proxy, so they require a secure negotiation to prove who they are, every time. The negotiation is all in the clear unless the transaction is https or it does its own security encryption.

pondering ...

Comments


Seth says
seth 2016-01-18 10:39:21 [item 19695#42641]
GETting a thought from a domain (whether it is a person on a browser or server running in a different domain) should be permitted if the entity reading is permitted to read it … according to the same permissions we have now. Ok, the server might need to have some semblance of the browser cookie … i’m sure there is a way to do that.
dA 2016-01-18 10:42:14 [item 19695#42642]
There is always a way to do anything. It’s only whether it is 20 lines of code or 200 to make it secure for the customer and hacking safe for the server. That’s the only difference. I know how the details work.

Holmes says
seth 2016-01-18 10:24:44 [item 19695#42639]
thinking out loud here …

i certainly can be logged into the same identity in different domains in the same browser. Happens all the time. in thinking.org i am Seth Russell authenticated to “seth.russell@bunkey.com” and in fastblogit.com i am also Seth Russell authenticated to “seth.russell@bunkey.com”.

So in my browser i go to the destination domain and in a group and click on a dialogue that says migrate my thought ___ to domain ____ into this group i am positioned. Seems to me then the destination domain has all the information it needs to do a GET through its API for the content of the thought from the source domain.

Because both the source person and the destination person are the same … have the same authentication string, seth.russell@bunkey.com,  the transfer is authorized.  

We could also add an additional requirement that the source and destination domains had authorized each other for such transfers … some kind of security code between the domains.  

And there may be some need that the person is logged into both domains and/or that the person has authorized such transfers between those two domains.
dA 2016-01-18 10:38:31 [item 19695#42640]
Yes. I know how this stuff works. I have set it up several times before and I designed the testing on a full blown multiple social service login system for Microsoft’s so.cl site that did exactly this kind of cross domain stuff. I am not saying it can’t work, all I ever said is that it is not the same as being directly logged into a site and https makes it need less code. That’s all.
seth 2016-01-18 10:44:29 [item 19695#42643]
okay .. understood … a little more code.   sorry about that.

anyway i expect that i would get an ssl for one reach out domain just as soon as this starts to take off. i doubt that i could afford two certificates … one for fbi and one for thinking.org (or whatever).

then as we get our first real domain customer … we will make a strong case there for her to buy her ssl.   

but in any case, if this is going to start … insisting on only ssl to ssl migrating is going to be an inordinate drag on growth.
That’s okay. And actually inmotion comes with ssl, it’s just a stupid name like http://198234794823.inmotionhosting.com for each site. But I might be able to use that behind the scenes for ssl. We can also install our own generated ssl key, it will just put up a certificate not validated warning, but that may be able to be hidden for ajax. The real need is for customer security on the front end. I’m not going to rwg with you on that … have no desire to go looking up stuff like Mark does. You will probably have it before you get bit by it anyway. There is some date upon which it becomes mandatory to have the new requirements in place, I don’t want to look that up either. That’s for webmasters to do.